I'm not sure if this is new news, but like many of you I'm concerned about password strength for accessing my accounts. I recently emailed my VG representative on this, and he replied that VG now allows symbols as part of the password login:

I have spoken with our Web Technical Support Services and they told me that you can now put symbols in your password, but not your user name. We haven't really advertised this yet because of how many people use third party vendors to access their Vanguard accounts.

With just alpha and numeric choices in ten digits, there were 3.65 quadrillion possibilities for someone to guess from. More, actually, since that's using exactly ten characters and there are more if you include using fewer than ten characters.

I don't know how many special characters you can choose from, but if there are ten additional characters, that gives 42.4 quadrillion possibilities, plus.....

I'm still OK with 3.65 quadrillion possibilities to attack, but if it makes you feel safer it's a prudent thing to do.

JimHalpert wrote: I don't use Vista, but here is a cut and paste from Microsoft:

Type without using the keyboard (On-Screen Keyboard)

Instead of relying on the physical keyboard to type and enter data, you can use On-Screen Keyboard. On-Screen Keyboard displays a visual keyboard with all the standard keys. You can select keys using the mouse or another pointing device, or you can use a single key or group of keys to cycle through the keys on the screen.

Open On-Screen Keyboard by clicking the Start button, clicking All Programs, clicking Accessories, clicking Ease of Access, and then clicking On-Screen Keyboard.

Cool, I just logged into VG using this program, and used it to log on to reply to this message. Thanks!

That's pretty slick and even works on my Windows XP system.

I'm not interested, but thanks for posting that for those who are concerned about key loggers.

Please use a password database. I've been using KeePass for years, now migrating to LastPass. A long random password for each site, and a master password encrypting the database.

Plus, you don't have to deal with a virtual keyboard in order to thwart keyloggers.

I'm unhappy Vanguard limits passwords to 10 characters.

I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

Drain wrote: I believe that if you think about it, there's really almost no risk. Again, the bad guy gets only three tries at your login. Unless your password is one of the truly horrendous ones, what's going to happen?

This protects from external attacks but not internal attacks. If someone manages to steal the database of password hashes (this is NOT particularly uncommon; most recently, see: Sony) then they get as many tries as they want. It's much easier to crack a password when you have the hash if you know it's limited to 10 characters or if you know of other limits (e.g. no symbols allowed) than if it could be of any length or content.
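Added example, not part of the thread: a short Python calculation that puts the thread's keyspace figures next to the two cases discussed above, a three-try online lockout and unlimited guessing against a stolen hash. The guess rate, the printable-ASCII policy and the assumption that passwords are chosen uniformly at random are illustrative assumptions, not facts about any real site.

```python
from fractions import Fraction

# Alphabet sizes. 36 and 46 follow the thread (letters+digits, plus an
# assumed ten symbols); 95 (printable ASCII) is an added comparison.
ALNUM, ALNUM_PLUS_10_SYMBOLS, PRINTABLE_ASCII = 36, 46, 95

# Assumed offline guess rate against a fast, unsalted hash (illustrative,
# not a measurement). A slow salted password hash lowers it by orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Count every password of length min_len..max_len over the alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case days to try every candidate when guesses are unlimited."""
    return space / rate / 86_400


def online_hit_probability(space: int, tries: int = 3) -> Fraction:
    """Chance that a lockout-limited attacker guesses a uniformly random password."""
    return Fraction(min(tries, space), space)


def compare_policies() -> dict:
    """Keyspace and offline exhaustion time for each policy."""
    policies = {
        "alnum, exactly 10": keyspace(ALNUM, 10, 10),
        "alnum, 1..10": keyspace(ALNUM, 10),
        "alnum+10 symbols, exactly 10": keyspace(ALNUM_PLUS_10_SYMBOLS, 10, 10),
        "printable ASCII, 1..16 (no 10-char cap)": keyspace(PRINTABLE_ASCII, 16),
    }
    return {name: (n, days_to_exhaust(n)) for name, n in policies.items()}


if __name__ == "__main__":
    for name, (n, days) in compare_policies().items():
        print(f"{name:42s} {n:.3e} candidates  {days:.3e} days offline")
    hit = online_hit_probability(keyspace(ALNUM, 10, 10))
    print("3 online tries vs alnum/10:", float(hit))
```

With these assumed inputs, the lockout makes an online guess hopeless, while the capped alphanumeric keyspace is exhausted offline in days; removing the length cap is what moves the offline figure out of reach.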

Good point. I don't know how common or uncommon that sort of theft is, but I agree that a stronger password is better. As someone who uses a password manager (LastPass), I'd certainly prefer the ability to use as strong a password as I want.

I have been a satisfied user of RoboForm for many years. They now offer an online version, but I like the "thick" version on my computer. I also have the "portable" version on a USB stick when away from home.

I am not sure how the features totally compare to the two options above, but I am totally happy with RoboForm.